PSD2 and Strong Customer Authentication: new rules set to change how bank customers' identity is checked
As part of the European directive PSD2 (the Revised Directive on Payment Services), banks and other payment providers will have to implement strong customer authentication, a mechanism designed to raise the technical requirements for verifying a customer's identity. Edward Corcoran, Senior Manager for Regulation and Internal Control Area at BBVA, sheds light on what strong authentication is and what its impact will be.
Use of electronic payments and internet banking has grown rapidly in Europe. In this year’s Consumer Trends report the European Banking Authority found that the total number of non-cash payments in the EU increased by 7.3% in 2017, to 134 billion transactions.
This growth explains why European authorities, concerned about potential risks to customers from fraud, passed sweeping new payment security rules as part of the second Payment Services Directive (PSD2).
From this September, European banks and other payment firms will be required to implement Strong Customer Authentication on a wide range of payments and other operations, like logins to bank mobile apps and bank websites.
Authentication processes are used to confirm that a customer is who they say they are. Strong Customer Authentication will require payment firms to check this using at least two separate pieces of information, known as authentication factors. These factors fall into three groups:
- Knowledge: something the customer knows, such as a password or PIN.
- Possession: something the customer has, such as a debit card or a mobile phone.
- Inherence: something the customer is, such as their fingerprint.
Many of these factors will be familiar to users already: customers regularly use chip (a payment card) and PIN to make physical payments; use a code received by SMS to make a purchase online; or use their fingerprint to unlock their phone and to access their bank’s app.
But with the introduction of the new rules, some existing factors will need to be updated or replaced. Together with the increasing use of bank apps and mobile phones, this is likely to mean new authentication approaches appear in the future.
For example, when making a purchase on a website a user could receive a notification on their smartphone allowing them to authenticate directly in their banking app, or authentication could even be made “invisible” by using behavioural biometric factors, such as how a customer clicks, types and navigates on a webpage.
In some circumstances payment firms can decide not to apply Strong Customer Authentication, for example when a customer makes a low-value contactless payment. This allows them to provide a smoother user experience, as long as they are confident there is a low risk of fraud.
Customers will start to see changes to the user experience when paying in person with a payment card or when logging in to their banking app or website from September 2019 onwards.
But the most significant impacts will be in e-commerce. This is because one of the most widely used factors at the moment, the card number together with the security code printed on the back (known as the CVV), will no longer be considered safe enough. The implementation of alternative factors could make the checkout process more complex and lead to customers abandoning purchases.
In addition, to be able to continue accepting card payments online, merchants will need to work with their payment provider to adapt their systems to the authentication process known as 3-D Secure.
However, recognising the challenge this poses and the need to prevent disruption to e-commerce, European authorities have extended the deadline for the application of the new rules to online purchases. This means most online shoppers won’t see significant differences in September 2019, but buying experiences will likely change from late 2020 onwards.